]>
Commit | Line | Data |
---|---|---|
9dd5cca4 PMD |
1 | /* |
2 | * ARM debug helpers. | |
3 | * | |
4 | * This code is licensed under the GNU GPL v2 or later. | |
5 | * | |
6 | * SPDX-License-Identifier: GPL-2.0-or-later | |
7 | */ | |
8 | #include "qemu/osdep.h" | |
f43ee493 | 9 | #include "qemu/log.h" |
9dd5cca4 PMD |
10 | #include "cpu.h" |
11 | #include "internals.h" | |
5a534314 | 12 | #include "cpu-features.h" |
f43ee493 | 13 | #include "cpregs.h" |
9dd5cca4 PMD |
14 | #include "exec/exec-all.h" |
15 | #include "exec/helper-proto.h" | |
2059ec75 | 16 | #include "sysemu/tcg.h" |
9dd5cca4 | 17 | |
2059ec75 | 18 | #ifdef CONFIG_TCG |
38e8a13c RH |
19 | /* Return the Exception Level targeted by debug exceptions. */ |
20 | static int arm_debug_target_el(CPUARMState *env) | |
21 | { | |
22 | bool secure = arm_is_secure(env); | |
23 | bool route_to_el2 = false; | |
24 | ||
5d78893f PM |
25 | if (arm_feature(env, ARM_FEATURE_M)) { |
26 | return 1; | |
27 | } | |
28 | ||
38e8a13c RH |
29 | if (arm_is_el2_enabled(env)) { |
30 | route_to_el2 = env->cp15.hcr_el2 & HCR_TGE || | |
31 | env->cp15.mdcr_el2 & MDCR_TDE; | |
32 | } | |
33 | ||
34 | if (route_to_el2) { | |
35 | return 2; | |
36 | } else if (arm_feature(env, ARM_FEATURE_EL3) && | |
37 | !arm_el_is_aa64(env, 3) && secure) { | |
38 | return 3; | |
39 | } else { | |
40 | return 1; | |
41 | } | |
42 | } | |
43 | ||
04eacf6e RH |
44 | /* |
45 | * Raise an exception to the debug target el. | |
46 | * Modify syndrome to indicate when origin and target EL are the same. | |
47 | */ | |
48 | G_NORETURN static void | |
49 | raise_exception_debug(CPUARMState *env, uint32_t excp, uint32_t syndrome) | |
50 | { | |
51 | int debug_el = arm_debug_target_el(env); | |
52 | int cur_el = arm_current_el(env); | |
53 | ||
54 | /* | |
55 | * If singlestep is targeting a lower EL than the current one, then | |
56 | * DisasContext.ss_active must be false and we can never get here. | |
57 | * Similarly for watchpoint and breakpoint matches. | |
58 | */ | |
59 | assert(debug_el >= cur_el); | |
60 | syndrome |= (debug_el == cur_el) << ARM_EL_EC_SHIFT; | |
61 | raise_exception(env, excp, syndrome, debug_el); | |
62 | } | |
63 | ||
31c8df53 RH |
64 | /* See AArch64.GenerateDebugExceptionsFrom() in ARM ARM pseudocode */ |
65 | static bool aa64_generate_debug_exceptions(CPUARMState *env) | |
66 | { | |
67 | int cur_el = arm_current_el(env); | |
68 | int debug_el; | |
69 | ||
70 | if (cur_el == 3) { | |
71 | return false; | |
72 | } | |
73 | ||
74 | /* MDCR_EL3.SDD disables debug events from Secure state */ | |
75 | if (arm_is_secure_below_el3(env) | |
76 | && extract32(env->cp15.mdcr_el3, 16, 1)) { | |
77 | return false; | |
78 | } | |
79 | ||
80 | /* | |
81 | * Same EL to same EL debug exceptions need MDSCR_KDE enabled | |
82 | * while not masking the (D)ebug bit in DAIF. | |
83 | */ | |
84 | debug_el = arm_debug_target_el(env); | |
85 | ||
86 | if (cur_el == debug_el) { | |
87 | return extract32(env->cp15.mdscr_el1, 13, 1) | |
88 | && !(env->daif & PSTATE_D); | |
89 | } | |
90 | ||
91 | /* Otherwise the debug target needs to be a higher EL */ | |
92 | return debug_el > cur_el; | |
93 | } | |
94 | ||
95 | static bool aa32_generate_debug_exceptions(CPUARMState *env) | |
96 | { | |
97 | int el = arm_current_el(env); | |
98 | ||
99 | if (el == 0 && arm_el_is_aa64(env, 1)) { | |
100 | return aa64_generate_debug_exceptions(env); | |
101 | } | |
102 | ||
103 | if (arm_is_secure(env)) { | |
104 | int spd; | |
105 | ||
106 | if (el == 0 && (env->cp15.sder & 1)) { | |
107 | /* | |
108 | * SDER.SUIDEN means debug exceptions from Secure EL0 | |
109 | * are always enabled. Otherwise they are controlled by | |
110 | * SDCR.SPD like those from other Secure ELs. | |
111 | */ | |
112 | return true; | |
113 | } | |
114 | ||
115 | spd = extract32(env->cp15.mdcr_el3, 14, 2); | |
116 | switch (spd) { | |
117 | case 1: | |
118 | /* SPD == 0b01 is reserved, but behaves as 0b00. */ | |
119 | case 0: | |
120 | /* | |
121 | * For 0b00 we return true if external secure invasive debug | |
122 | * is enabled. On real hardware this is controlled by external | |
123 | * signals to the core. QEMU always permits debug, and behaves | |
124 | * as if DBGEN, SPIDEN, NIDEN and SPNIDEN are all tied high. | |
125 | */ | |
126 | return true; | |
127 | case 2: | |
128 | return false; | |
129 | case 3: | |
130 | return true; | |
131 | } | |
132 | } | |
133 | ||
134 | return el != 2; | |
135 | } | |
136 | ||
137 | /* | |
138 | * Return true if debugging exceptions are currently enabled. | |
139 | * This corresponds to what in ARM ARM pseudocode would be | |
140 | * if UsingAArch32() then | |
141 | * return AArch32.GenerateDebugExceptions() | |
142 | * else | |
143 | * return AArch64.GenerateDebugExceptions() | |
144 | * We choose to push the if() down into this function for clarity, | |
145 | * since the pseudocode has it at all callsites except for the one in | |
146 | * CheckSoftwareStep(), where it is elided because both branches would | |
147 | * always return the same value. | |
148 | */ | |
149 | bool arm_generate_debug_exceptions(CPUARMState *env) | |
150 | { | |
f94a6df5 | 151 | if ((env->cp15.oslsr_el1 & 1) || (env->cp15.osdlr_el1 & 1)) { |
40b20027 PM |
152 | return false; |
153 | } | |
831c1b10 | 154 | if (is_a64(env)) { |
31c8df53 RH |
155 | return aa64_generate_debug_exceptions(env); |
156 | } else { | |
157 | return aa32_generate_debug_exceptions(env); | |
158 | } | |
159 | } | |
160 | ||
55ba15b7 RH |
161 | /* |
162 | * Is single-stepping active? (Note that the "is EL_D AArch64?" check | |
163 | * implicitly means this always returns false in pre-v8 CPUs.) | |
164 | */ | |
165 | bool arm_singlestep_active(CPUARMState *env) | |
166 | { | |
167 | return extract32(env->cp15.mdscr_el1, 0, 1) | |
168 | && arm_el_is_aa64(env, arm_debug_target_el(env)) | |
169 | && arm_generate_debug_exceptions(env); | |
170 | } | |
171 | ||
9dd5cca4 PMD |
172 | /* Return true if the linked breakpoint entry lbn passes its checks */ |
173 | static bool linked_bp_matches(ARMCPU *cpu, int lbn) | |
174 | { | |
175 | CPUARMState *env = &cpu->env; | |
176 | uint64_t bcr = env->cp15.dbgbcr[lbn]; | |
88ce6c6e PM |
177 | int brps = arm_num_brps(cpu); |
178 | int ctx_cmps = arm_num_ctx_cmps(cpu); | |
9dd5cca4 PMD |
179 | int bt; |
180 | uint32_t contextidr; | |
e2a1a461 | 181 | uint64_t hcr_el2; |
9dd5cca4 PMD |
182 | |
183 | /* | |
184 | * Links to unimplemented or non-context aware breakpoints are | |
185 | * CONSTRAINED UNPREDICTABLE: either behave as if disabled, or | |
186 | * as if linked to an UNKNOWN context-aware breakpoint (in which | |
187 | * case DBGWCR<n>_EL1.LBN must indicate that breakpoint). | |
188 | * We choose the former. | |
189 | */ | |
88ce6c6e | 190 | if (lbn >= brps || lbn < (brps - ctx_cmps)) { |
9dd5cca4 PMD |
191 | return false; |
192 | } | |
193 | ||
194 | bcr = env->cp15.dbgbcr[lbn]; | |
195 | ||
196 | if (extract64(bcr, 0, 1) == 0) { | |
197 | /* Linked breakpoint disabled : generate no events */ | |
198 | return false; | |
199 | } | |
200 | ||
201 | bt = extract64(bcr, 20, 4); | |
e2a1a461 | 202 | hcr_el2 = arm_hcr_el2_eff(env); |
9dd5cca4 PMD |
203 | |
204 | switch (bt) { | |
205 | case 3: /* linked context ID match */ | |
e2a1a461 RH |
206 | switch (arm_current_el(env)) { |
207 | default: | |
208 | /* Context matches never fire in AArch64 EL3 */ | |
9dd5cca4 | 209 | return false; |
e2a1a461 RH |
210 | case 2: |
211 | if (!(hcr_el2 & HCR_E2H)) { | |
212 | /* Context matches never fire in EL2 without E2H enabled. */ | |
213 | return false; | |
214 | } | |
215 | contextidr = env->cp15.contextidr_el[2]; | |
216 | break; | |
217 | case 1: | |
218 | contextidr = env->cp15.contextidr_el[1]; | |
219 | break; | |
220 | case 0: | |
221 | if ((hcr_el2 & (HCR_E2H | HCR_TGE)) == (HCR_E2H | HCR_TGE)) { | |
222 | contextidr = env->cp15.contextidr_el[2]; | |
223 | } else { | |
224 | contextidr = env->cp15.contextidr_el[1]; | |
225 | } | |
226 | break; | |
9dd5cca4 | 227 | } |
e2a1a461 RH |
228 | break; |
229 | ||
230 | case 7: /* linked contextidr_el1 match */ | |
231 | contextidr = env->cp15.contextidr_el[1]; | |
232 | break; | |
233 | case 13: /* linked contextidr_el2 match */ | |
234 | contextidr = env->cp15.contextidr_el[2]; | |
235 | break; | |
236 | ||
9dd5cca4 PMD |
237 | case 9: /* linked VMID match (reserved if no EL2) */ |
238 | case 11: /* linked context ID and VMID match (reserved if no EL2) */ | |
e2a1a461 | 239 | case 15: /* linked full context ID match */ |
9dd5cca4 PMD |
240 | default: |
241 | /* | |
242 | * Links to Unlinked context breakpoints must generate no | |
243 | * events; we choose to do the same for reserved values too. | |
244 | */ | |
245 | return false; | |
246 | } | |
247 | ||
e2a1a461 RH |
248 | /* |
249 | * We match the whole register even if this is AArch32 using the | |
250 | * short descriptor format (in which case it holds both PROCID and ASID), | |
251 | * since we don't implement the optional v7 context ID masking. | |
252 | */ | |
253 | return contextidr == (uint32_t)env->cp15.dbgbvr[lbn]; | |
9dd5cca4 PMD |
254 | } |
255 | ||
256 | static bool bp_wp_matches(ARMCPU *cpu, int n, bool is_wp) | |
257 | { | |
258 | CPUARMState *env = &cpu->env; | |
259 | uint64_t cr; | |
260 | int pac, hmc, ssc, wt, lbn; | |
261 | /* | |
262 | * Note that for watchpoints the check is against the CPU security | |
263 | * state, not the S/NS attribute on the offending data access. | |
264 | */ | |
265 | bool is_secure = arm_is_secure(env); | |
266 | int access_el = arm_current_el(env); | |
267 | ||
268 | if (is_wp) { | |
269 | CPUWatchpoint *wp = env->cpu_watchpoint[n]; | |
270 | ||
271 | if (!wp || !(wp->flags & BP_WATCHPOINT_HIT)) { | |
272 | return false; | |
273 | } | |
274 | cr = env->cp15.dbgwcr[n]; | |
275 | if (wp->hitattrs.user) { | |
276 | /* | |
277 | * The LDRT/STRT/LDT/STT "unprivileged access" instructions should | |
278 | * match watchpoints as if they were accesses done at EL0, even if | |
279 | * the CPU is at EL1 or higher. | |
280 | */ | |
281 | access_el = 0; | |
282 | } | |
283 | } else { | |
284 | uint64_t pc = is_a64(env) ? env->pc : env->regs[15]; | |
285 | ||
286 | if (!env->cpu_breakpoint[n] || env->cpu_breakpoint[n]->pc != pc) { | |
287 | return false; | |
288 | } | |
289 | cr = env->cp15.dbgbcr[n]; | |
290 | } | |
291 | /* | |
292 | * The WATCHPOINT_HIT flag guarantees us that the watchpoint is | |
293 | * enabled and that the address and access type match; for breakpoints | |
294 | * we know the address matched; check the remaining fields, including | |
295 | * linked breakpoints. We rely on WCR and BCR having the same layout | |
296 | * for the LBN, SSC, HMC, PAC/PMC and is-linked fields. | |
297 | * Note that some combinations of {PAC, HMC, SSC} are reserved and | |
298 | * must act either like some valid combination or as if the watchpoint | |
299 | * were disabled. We choose the former, and use this together with | |
300 | * the fact that EL3 must always be Secure and EL2 must always be | |
301 | * Non-Secure to simplify the code slightly compared to the full | |
302 | * table in the ARM ARM. | |
303 | */ | |
8b7a5bbe RH |
304 | pac = FIELD_EX64(cr, DBGWCR, PAC); |
305 | hmc = FIELD_EX64(cr, DBGWCR, HMC); | |
306 | ssc = FIELD_EX64(cr, DBGWCR, SSC); | |
9dd5cca4 PMD |
307 | |
308 | switch (ssc) { | |
309 | case 0: | |
310 | break; | |
311 | case 1: | |
312 | case 3: | |
313 | if (is_secure) { | |
314 | return false; | |
315 | } | |
316 | break; | |
317 | case 2: | |
318 | if (!is_secure) { | |
319 | return false; | |
320 | } | |
321 | break; | |
322 | } | |
323 | ||
324 | switch (access_el) { | |
325 | case 3: | |
326 | case 2: | |
327 | if (!hmc) { | |
328 | return false; | |
329 | } | |
330 | break; | |
331 | case 1: | |
332 | if (extract32(pac, 0, 1) == 0) { | |
333 | return false; | |
334 | } | |
335 | break; | |
336 | case 0: | |
337 | if (extract32(pac, 1, 1) == 0) { | |
338 | return false; | |
339 | } | |
340 | break; | |
341 | default: | |
342 | g_assert_not_reached(); | |
343 | } | |
344 | ||
8b7a5bbe RH |
345 | wt = FIELD_EX64(cr, DBGWCR, WT); |
346 | lbn = FIELD_EX64(cr, DBGWCR, LBN); | |
9dd5cca4 PMD |
347 | |
348 | if (wt && !linked_bp_matches(cpu, lbn)) { | |
349 | return false; | |
350 | } | |
351 | ||
352 | return true; | |
353 | } | |
354 | ||
355 | static bool check_watchpoints(ARMCPU *cpu) | |
356 | { | |
357 | CPUARMState *env = &cpu->env; | |
358 | int n; | |
359 | ||
360 | /* | |
361 | * If watchpoints are disabled globally or we can't take debug | |
362 | * exceptions here then watchpoint firings are ignored. | |
363 | */ | |
364 | if (extract32(env->cp15.mdscr_el1, 15, 1) == 0 | |
365 | || !arm_generate_debug_exceptions(env)) { | |
366 | return false; | |
367 | } | |
368 | ||
369 | for (n = 0; n < ARRAY_SIZE(env->cpu_watchpoint); n++) { | |
370 | if (bp_wp_matches(cpu, n, true)) { | |
371 | return true; | |
372 | } | |
373 | } | |
374 | return false; | |
375 | } | |
376 | ||
b00d86bc | 377 | bool arm_debug_check_breakpoint(CPUState *cs) |
9dd5cca4 | 378 | { |
b00d86bc | 379 | ARMCPU *cpu = ARM_CPU(cs); |
9dd5cca4 | 380 | CPUARMState *env = &cpu->env; |
8dc89f1f | 381 | target_ulong pc; |
9dd5cca4 PMD |
382 | int n; |
383 | ||
384 | /* | |
385 | * If breakpoints are disabled globally or we can't take debug | |
386 | * exceptions here then breakpoint firings are ignored. | |
387 | */ | |
388 | if (extract32(env->cp15.mdscr_el1, 15, 1) == 0 | |
389 | || !arm_generate_debug_exceptions(env)) { | |
390 | return false; | |
391 | } | |
392 | ||
8dc89f1f RH |
393 | /* |
394 | * Single-step exceptions have priority over breakpoint exceptions. | |
395 | * If single-step state is active-pending, suppress the bp. | |
396 | */ | |
397 | if (arm_singlestep_active(env) && !(env->pstate & PSTATE_SS)) { | |
398 | return false; | |
399 | } | |
400 | ||
401 | /* | |
402 | * PC alignment faults have priority over breakpoint exceptions. | |
403 | */ | |
404 | pc = is_a64(env) ? env->pc : env->regs[15]; | |
405 | if ((is_a64(env) || !env->thumb) && (pc & 3) != 0) { | |
406 | return false; | |
407 | } | |
408 | ||
409 | /* | |
410 | * Instruction aborts have priority over breakpoint exceptions. | |
411 | * TODO: We would need to look up the page for PC and verify that | |
412 | * it is present and executable. | |
413 | */ | |
414 | ||
9dd5cca4 PMD |
415 | for (n = 0; n < ARRAY_SIZE(env->cpu_breakpoint); n++) { |
416 | if (bp_wp_matches(cpu, n, false)) { | |
417 | return true; | |
418 | } | |
419 | } | |
420 | return false; | |
421 | } | |
422 | ||
9dd5cca4 PMD |
423 | bool arm_debug_check_watchpoint(CPUState *cs, CPUWatchpoint *wp) |
424 | { | |
425 | /* | |
426 | * Called by core code when a CPU watchpoint fires; need to check if this | |
427 | * is also an architectural watchpoint match. | |
428 | */ | |
429 | ARMCPU *cpu = ARM_CPU(cs); | |
430 | ||
431 | return check_watchpoints(cpu); | |
432 | } | |
433 | ||
a853e3ae RH |
434 | /* |
435 | * Return the FSR value for a debug exception (watchpoint, hardware | |
436 | * breakpoint or BKPT insn) targeting the specified exception level. | |
437 | */ | |
438 | static uint32_t arm_debug_exception_fsr(CPUARMState *env) | |
439 | { | |
440 | ARMMMUFaultInfo fi = { .type = ARMFault_Debug }; | |
441 | int target_el = arm_debug_target_el(env); | |
5d78893f | 442 | bool using_lpae; |
a853e3ae | 443 | |
5d78893f PM |
444 | if (arm_feature(env, ARM_FEATURE_M)) { |
445 | using_lpae = false; | |
446 | } else if (target_el == 2 || arm_el_is_aa64(env, target_el)) { | |
a853e3ae | 447 | using_lpae = true; |
452c67a4 TR |
448 | } else if (arm_feature(env, ARM_FEATURE_PMSA) && |
449 | arm_feature(env, ARM_FEATURE_V8)) { | |
450 | using_lpae = true; | |
5d78893f PM |
451 | } else if (arm_feature(env, ARM_FEATURE_LPAE) && |
452 | (env->cp15.tcr_el[target_el] & TTBCR_EAE)) { | |
453 | using_lpae = true; | |
a853e3ae | 454 | } else { |
5d78893f | 455 | using_lpae = false; |
a853e3ae RH |
456 | } |
457 | ||
458 | if (using_lpae) { | |
459 | return arm_fi_to_lfsc(&fi); | |
460 | } else { | |
461 | return arm_fi_to_sfsc(&fi); | |
462 | } | |
463 | } | |
464 | ||
9dd5cca4 PMD |
465 | void arm_debug_excp_handler(CPUState *cs) |
466 | { | |
467 | /* | |
468 | * Called by core code when a watchpoint or breakpoint fires; | |
469 | * need to check which one and raise the appropriate exception. | |
470 | */ | |
471 | ARMCPU *cpu = ARM_CPU(cs); | |
472 | CPUARMState *env = &cpu->env; | |
473 | CPUWatchpoint *wp_hit = cs->watchpoint_hit; | |
474 | ||
475 | if (wp_hit) { | |
476 | if (wp_hit->flags & BP_CPU) { | |
477 | bool wnr = (wp_hit->flags & BP_WATCHPOINT_HIT_WRITE) != 0; | |
9dd5cca4 PMD |
478 | |
479 | cs->watchpoint_hit = NULL; | |
480 | ||
481 | env->exception.fsr = arm_debug_exception_fsr(env); | |
482 | env->exception.vaddress = wp_hit->hitaddr; | |
04eacf6e RH |
483 | raise_exception_debug(env, EXCP_DATA_ABORT, |
484 | syn_watchpoint(0, 0, wnr)); | |
9dd5cca4 PMD |
485 | } |
486 | } else { | |
487 | uint64_t pc = is_a64(env) ? env->pc : env->regs[15]; | |
9dd5cca4 PMD |
488 | |
489 | /* | |
490 | * (1) GDB breakpoints should be handled first. | |
491 | * (2) Do not raise a CPU exception if no CPU breakpoint has fired, | |
492 | * since singlestep is also done by generating a debug internal | |
493 | * exception. | |
494 | */ | |
495 | if (cpu_breakpoint_test(cs, pc, BP_GDB) | |
496 | || !cpu_breakpoint_test(cs, pc, BP_CPU)) { | |
497 | return; | |
498 | } | |
499 | ||
500 | env->exception.fsr = arm_debug_exception_fsr(env); | |
501 | /* | |
502 | * FAR is UNKNOWN: clear vaddress to avoid potentially exposing | |
503 | * values to the guest that it shouldn't be able to see at its | |
504 | * exception/security level. | |
505 | */ | |
506 | env->exception.vaddress = 0; | |
04eacf6e | 507 | raise_exception_debug(env, EXCP_PREFETCH_ABORT, syn_breakpoint(0)); |
9dd5cca4 PMD |
508 | } |
509 | } | |
510 | ||
16f9d5f6 RH |
511 | /* |
512 | * Raise an EXCP_BKPT with the specified syndrome register value, | |
513 | * targeting the correct exception level for debug exceptions. | |
514 | */ | |
515 | void HELPER(exception_bkpt_insn)(CPUARMState *env, uint32_t syndrome) | |
516 | { | |
517 | int debug_el = arm_debug_target_el(env); | |
518 | int cur_el = arm_current_el(env); | |
519 | ||
520 | /* FSR will only be used if the debug target EL is AArch32. */ | |
521 | env->exception.fsr = arm_debug_exception_fsr(env); | |
522 | /* | |
523 | * FAR is UNKNOWN: clear vaddress to avoid potentially exposing | |
524 | * values to the guest that it shouldn't be able to see at its | |
525 | * exception/security level. | |
526 | */ | |
527 | env->exception.vaddress = 0; | |
528 | /* | |
529 | * Other kinds of architectural debug exception are ignored if | |
530 | * they target an exception level below the current one (in QEMU | |
531 | * this is checked by arm_generate_debug_exceptions()). Breakpoint | |
532 | * instructions are special because they always generate an exception | |
533 | * to somewhere: if they can't go to the configured debug exception | |
534 | * level they are taken to the current exception level. | |
535 | */ | |
536 | if (debug_el < cur_el) { | |
537 | debug_el = cur_el; | |
538 | } | |
539 | raise_exception(env, EXCP_BKPT, syndrome, debug_el); | |
540 | } | |
541 | ||
f0d7c205 RH |
542 | void HELPER(exception_swstep)(CPUARMState *env, uint32_t syndrome) |
543 | { | |
04eacf6e | 544 | raise_exception_debug(env, EXCP_UDEF, syndrome); |
f0d7c205 RH |
545 | } |
546 | ||
2059ec75 FR |
547 | void hw_watchpoint_update(ARMCPU *cpu, int n) |
548 | { | |
549 | CPUARMState *env = &cpu->env; | |
550 | vaddr len = 0; | |
551 | vaddr wvr = env->cp15.dbgwvr[n]; | |
552 | uint64_t wcr = env->cp15.dbgwcr[n]; | |
553 | int mask; | |
554 | int flags = BP_CPU | BP_STOP_BEFORE_ACCESS; | |
555 | ||
556 | if (env->cpu_watchpoint[n]) { | |
557 | cpu_watchpoint_remove_by_ref(CPU(cpu), env->cpu_watchpoint[n]); | |
558 | env->cpu_watchpoint[n] = NULL; | |
559 | } | |
560 | ||
561 | if (!FIELD_EX64(wcr, DBGWCR, E)) { | |
562 | /* E bit clear : watchpoint disabled */ | |
563 | return; | |
564 | } | |
565 | ||
566 | switch (FIELD_EX64(wcr, DBGWCR, LSC)) { | |
567 | case 0: | |
568 | /* LSC 00 is reserved and must behave as if the wp is disabled */ | |
569 | return; | |
570 | case 1: | |
571 | flags |= BP_MEM_READ; | |
572 | break; | |
573 | case 2: | |
574 | flags |= BP_MEM_WRITE; | |
575 | break; | |
576 | case 3: | |
577 | flags |= BP_MEM_ACCESS; | |
578 | break; | |
579 | } | |
580 | ||
581 | /* | |
582 | * Attempts to use both MASK and BAS fields simultaneously are | |
583 | * CONSTRAINED UNPREDICTABLE; we opt to ignore BAS in this case, | |
584 | * thus generating a watchpoint for every byte in the masked region. | |
585 | */ | |
586 | mask = FIELD_EX64(wcr, DBGWCR, MASK); | |
587 | if (mask == 1 || mask == 2) { | |
588 | /* | |
589 | * Reserved values of MASK; we must act as if the mask value was | |
590 | * some non-reserved value, or as if the watchpoint were disabled. | |
591 | * We choose the latter. | |
592 | */ | |
593 | return; | |
594 | } else if (mask) { | |
595 | /* Watchpoint covers an aligned area up to 2GB in size */ | |
596 | len = 1ULL << mask; | |
597 | /* | |
598 | * If masked bits in WVR are not zero it's CONSTRAINED UNPREDICTABLE | |
599 | * whether the watchpoint fires when the unmasked bits match; we opt | |
600 | * to generate the exceptions. | |
601 | */ | |
602 | wvr &= ~(len - 1); | |
603 | } else { | |
604 | /* Watchpoint covers bytes defined by the byte address select bits */ | |
605 | int bas = FIELD_EX64(wcr, DBGWCR, BAS); | |
606 | int basstart; | |
607 | ||
608 | if (extract64(wvr, 2, 1)) { | |
609 | /* | |
610 | * Deprecated case of an only 4-aligned address. BAS[7:4] are | |
611 | * ignored, and BAS[3:0] define which bytes to watch. | |
612 | */ | |
613 | bas &= 0xf; | |
614 | } | |
615 | ||
616 | if (bas == 0) { | |
617 | /* This must act as if the watchpoint is disabled */ | |
618 | return; | |
619 | } | |
620 | ||
621 | /* | |
622 | * The BAS bits are supposed to be programmed to indicate a contiguous | |
623 | * range of bytes. Otherwise it is CONSTRAINED UNPREDICTABLE whether | |
624 | * we fire for each byte in the word/doubleword addressed by the WVR. | |
625 | * We choose to ignore any non-zero bits after the first range of 1s. | |
626 | */ | |
627 | basstart = ctz32(bas); | |
628 | len = cto32(bas >> basstart); | |
629 | wvr += basstart; | |
630 | } | |
631 | ||
632 | cpu_watchpoint_insert(CPU(cpu), wvr, len, flags, | |
633 | &env->cpu_watchpoint[n]); | |
634 | } | |
635 | ||
636 | void hw_watchpoint_update_all(ARMCPU *cpu) | |
637 | { | |
638 | int i; | |
639 | CPUARMState *env = &cpu->env; | |
640 | ||
641 | /* | |
642 | * Completely clear out existing QEMU watchpoints and our array, to | |
643 | * avoid possible stale entries following migration load. | |
644 | */ | |
645 | cpu_watchpoint_remove_all(CPU(cpu), BP_CPU); | |
646 | memset(env->cpu_watchpoint, 0, sizeof(env->cpu_watchpoint)); | |
647 | ||
648 | for (i = 0; i < ARRAY_SIZE(cpu->env.cpu_watchpoint); i++) { | |
649 | hw_watchpoint_update(cpu, i); | |
650 | } | |
651 | } | |
652 | ||
653 | void hw_breakpoint_update(ARMCPU *cpu, int n) | |
654 | { | |
655 | CPUARMState *env = &cpu->env; | |
656 | uint64_t bvr = env->cp15.dbgbvr[n]; | |
657 | uint64_t bcr = env->cp15.dbgbcr[n]; | |
658 | vaddr addr; | |
659 | int bt; | |
660 | int flags = BP_CPU; | |
661 | ||
662 | if (env->cpu_breakpoint[n]) { | |
663 | cpu_breakpoint_remove_by_ref(CPU(cpu), env->cpu_breakpoint[n]); | |
664 | env->cpu_breakpoint[n] = NULL; | |
665 | } | |
666 | ||
667 | if (!extract64(bcr, 0, 1)) { | |
668 | /* E bit clear : watchpoint disabled */ | |
669 | return; | |
670 | } | |
671 | ||
672 | bt = extract64(bcr, 20, 4); | |
673 | ||
674 | switch (bt) { | |
675 | case 4: /* unlinked address mismatch (reserved if AArch64) */ | |
676 | case 5: /* linked address mismatch (reserved if AArch64) */ | |
677 | qemu_log_mask(LOG_UNIMP, | |
678 | "arm: address mismatch breakpoint types not implemented\n"); | |
679 | return; | |
680 | case 0: /* unlinked address match */ | |
681 | case 1: /* linked address match */ | |
682 | { | |
683 | /* | |
684 | * Bits [1:0] are RES0. | |
685 | * | |
686 | * It is IMPLEMENTATION DEFINED whether bits [63:49] | |
687 | * ([63:53] for FEAT_LVA) are hardwired to a copy of the sign bit | |
688 | * of the VA field ([48] or [52] for FEAT_LVA), or whether the | |
689 | * value is read as written. It is CONSTRAINED UNPREDICTABLE | |
690 | * whether the RESS bits are ignored when comparing an address. | |
691 | * Therefore we are allowed to compare the entire register, which | |
692 | * lets us avoid considering whether FEAT_LVA is actually enabled. | |
693 | * | |
694 | * The BAS field is used to allow setting breakpoints on 16-bit | |
695 | * wide instructions; it is CONSTRAINED UNPREDICTABLE whether | |
696 | * a bp will fire if the addresses covered by the bp and the addresses | |
697 | * covered by the insn overlap but the insn doesn't start at the | |
698 | * start of the bp address range. We choose to require the insn and | |
699 | * the bp to have the same address. The constraints on writing to | |
700 | * BAS enforced in dbgbcr_write mean we have only four cases: | |
701 | * 0b0000 => no breakpoint | |
702 | * 0b0011 => breakpoint on addr | |
703 | * 0b1100 => breakpoint on addr + 2 | |
704 | * 0b1111 => breakpoint on addr | |
705 | * See also figure D2-3 in the v8 ARM ARM (DDI0487A.c). | |
706 | */ | |
707 | int bas = extract64(bcr, 5, 4); | |
708 | addr = bvr & ~3ULL; | |
709 | if (bas == 0) { | |
710 | return; | |
711 | } | |
712 | if (bas == 0xc) { | |
713 | addr += 2; | |
714 | } | |
715 | break; | |
716 | } | |
717 | case 2: /* unlinked context ID match */ | |
718 | case 8: /* unlinked VMID match (reserved if no EL2) */ | |
719 | case 10: /* unlinked context ID and VMID match (reserved if no EL2) */ | |
720 | qemu_log_mask(LOG_UNIMP, | |
721 | "arm: unlinked context breakpoint types not implemented\n"); | |
722 | return; | |
723 | case 9: /* linked VMID match (reserved if no EL2) */ | |
724 | case 11: /* linked context ID and VMID match (reserved if no EL2) */ | |
725 | case 3: /* linked context ID match */ | |
726 | default: | |
727 | /* | |
728 | * We must generate no events for Linked context matches (unless | |
729 | * they are linked to by some other bp/wp, which is handled in | |
730 | * updates for the linking bp/wp). We choose to also generate no events | |
731 | * for reserved values. | |
732 | */ | |
733 | return; | |
734 | } | |
735 | ||
736 | cpu_breakpoint_insert(CPU(cpu), addr, flags, &env->cpu_breakpoint[n]); | |
737 | } | |
738 | ||
739 | void hw_breakpoint_update_all(ARMCPU *cpu) | |
740 | { | |
741 | int i; | |
742 | CPUARMState *env = &cpu->env; | |
743 | ||
744 | /* | |
745 | * Completely clear out existing QEMU breakpoints and our array, to | |
746 | * avoid possible stale entries following migration load. | |
747 | */ | |
748 | cpu_breakpoint_remove_all(CPU(cpu), BP_CPU); | |
749 | memset(env->cpu_breakpoint, 0, sizeof(env->cpu_breakpoint)); | |
750 | ||
751 | for (i = 0; i < ARRAY_SIZE(cpu->env.cpu_breakpoint); i++) { | |
752 | hw_breakpoint_update(cpu, i); | |
753 | } | |
754 | } | |
755 | ||
756 | #if !defined(CONFIG_USER_ONLY) | |
757 | ||
758 | vaddr arm_adjust_watchpoint_address(CPUState *cs, vaddr addr, int len) | |
759 | { | |
760 | ARMCPU *cpu = ARM_CPU(cs); | |
761 | CPUARMState *env = &cpu->env; | |
762 | ||
763 | /* | |
764 | * In BE32 system mode, target memory is stored byteswapped (on a | |
765 | * little-endian host system), and by the time we reach here (via an | |
766 | * opcode helper) the addresses of subword accesses have been adjusted | |
767 | * to account for that, which means that watchpoints will not match. | |
768 | * Undo the adjustment here. | |
769 | */ | |
770 | if (arm_sctlr_b(env)) { | |
771 | if (len == 1) { | |
772 | addr ^= 3; | |
773 | } else if (len == 2) { | |
774 | addr ^= 2; | |
775 | } | |
776 | } | |
777 | ||
778 | return addr; | |
779 | } | |
780 | ||
781 | #endif /* !CONFIG_USER_ONLY */ | |
782 | #endif /* CONFIG_TCG */ | |
783 | ||
f43ee493 PM |
784 | /* |
785 | * Check for traps to "powerdown debug" registers, which are controlled | |
786 | * by MDCR.TDOSA | |
787 | */ | |
788 | static CPAccessResult access_tdosa(CPUARMState *env, const ARMCPRegInfo *ri, | |
789 | bool isread) | |
790 | { | |
791 | int el = arm_current_el(env); | |
792 | uint64_t mdcr_el2 = arm_mdcr_el2_eff(env); | |
793 | bool mdcr_el2_tdosa = (mdcr_el2 & MDCR_TDOSA) || (mdcr_el2 & MDCR_TDE) || | |
794 | (arm_hcr_el2_eff(env) & HCR_TGE); | |
795 | ||
796 | if (el < 2 && mdcr_el2_tdosa) { | |
797 | return CP_ACCESS_TRAP_EL2; | |
798 | } | |
799 | if (el < 3 && (env->cp15.mdcr_el3 & MDCR_TDOSA)) { | |
800 | return CP_ACCESS_TRAP_EL3; | |
801 | } | |
802 | return CP_ACCESS_OK; | |
803 | } | |
804 | ||
805 | /* | |
806 | * Check for traps to "debug ROM" registers, which are controlled | |
807 | * by MDCR_EL2.TDRA for EL2 but by the more general MDCR_EL3.TDA for EL3. | |
808 | */ | |
809 | static CPAccessResult access_tdra(CPUARMState *env, const ARMCPRegInfo *ri, | |
810 | bool isread) | |
811 | { | |
812 | int el = arm_current_el(env); | |
813 | uint64_t mdcr_el2 = arm_mdcr_el2_eff(env); | |
814 | bool mdcr_el2_tdra = (mdcr_el2 & MDCR_TDRA) || (mdcr_el2 & MDCR_TDE) || | |
815 | (arm_hcr_el2_eff(env) & HCR_TGE); | |
816 | ||
817 | if (el < 2 && mdcr_el2_tdra) { | |
818 | return CP_ACCESS_TRAP_EL2; | |
819 | } | |
820 | if (el < 3 && (env->cp15.mdcr_el3 & MDCR_TDA)) { | |
821 | return CP_ACCESS_TRAP_EL3; | |
822 | } | |
823 | return CP_ACCESS_OK; | |
824 | } | |
825 | ||
826 | /* | |
827 | * Check for traps to general debug registers, which are controlled | |
828 | * by MDCR_EL2.TDA for EL2 and MDCR_EL3.TDA for EL3. | |
829 | */ | |
830 | static CPAccessResult access_tda(CPUARMState *env, const ARMCPRegInfo *ri, | |
831 | bool isread) | |
832 | { | |
833 | int el = arm_current_el(env); | |
834 | uint64_t mdcr_el2 = arm_mdcr_el2_eff(env); | |
835 | bool mdcr_el2_tda = (mdcr_el2 & MDCR_TDA) || (mdcr_el2 & MDCR_TDE) || | |
836 | (arm_hcr_el2_eff(env) & HCR_TGE); | |
837 | ||
838 | if (el < 2 && mdcr_el2_tda) { | |
839 | return CP_ACCESS_TRAP_EL2; | |
840 | } | |
841 | if (el < 3 && (env->cp15.mdcr_el3 & MDCR_TDA)) { | |
842 | return CP_ACCESS_TRAP_EL3; | |
843 | } | |
844 | return CP_ACCESS_OK; | |
845 | } | |
846 | ||
1748ef03 PM |
847 | /* |
848 | * Check for traps to Debug Comms Channel registers. If FEAT_FGT | |
849 | * is implemented then these are controlled by MDCR_EL2.TDCC for | |
850 | * EL2 and MDCR_EL3.TDCC for EL3. They are also controlled by | |
851 | * the general debug access trap bits MDCR_EL2.TDA and MDCR_EL3.TDA. | |
f9ac7788 | 852 | * For EL0, they are also controlled by MDSCR_EL1.TDCC. |
1748ef03 PM |
853 | */ |
854 | static CPAccessResult access_tdcc(CPUARMState *env, const ARMCPRegInfo *ri, | |
855 | bool isread) | |
856 | { | |
857 | int el = arm_current_el(env); | |
858 | uint64_t mdcr_el2 = arm_mdcr_el2_eff(env); | |
f9ac7788 | 859 | bool mdscr_el1_tdcc = extract32(env->cp15.mdscr_el1, 12, 1); |
1748ef03 PM |
860 | bool mdcr_el2_tda = (mdcr_el2 & MDCR_TDA) || (mdcr_el2 & MDCR_TDE) || |
861 | (arm_hcr_el2_eff(env) & HCR_TGE); | |
862 | bool mdcr_el2_tdcc = cpu_isar_feature(aa64_fgt, env_archcpu(env)) && | |
863 | (mdcr_el2 & MDCR_TDCC); | |
864 | bool mdcr_el3_tdcc = cpu_isar_feature(aa64_fgt, env_archcpu(env)) && | |
865 | (env->cp15.mdcr_el3 & MDCR_TDCC); | |
866 | ||
f9ac7788 ZS |
867 | if (el < 1 && mdscr_el1_tdcc) { |
868 | return CP_ACCESS_TRAP; | |
869 | } | |
1748ef03 PM |
870 | if (el < 2 && (mdcr_el2_tda || mdcr_el2_tdcc)) { |
871 | return CP_ACCESS_TRAP_EL2; | |
872 | } | |
873 | if (el < 3 && ((env->cp15.mdcr_el3 & MDCR_TDA) || mdcr_el3_tdcc)) { | |
874 | return CP_ACCESS_TRAP_EL3; | |
875 | } | |
876 | return CP_ACCESS_OK; | |
877 | } | |
878 | ||
f43ee493 PM |
879 | static void oslar_write(CPUARMState *env, const ARMCPRegInfo *ri, |
880 | uint64_t value) | |
881 | { | |
882 | /* | |
883 | * Writes to OSLAR_EL1 may update the OS lock status, which can be | |
884 | * read via a bit in OSLSR_EL1. | |
885 | */ | |
886 | int oslock; | |
887 | ||
888 | if (ri->state == ARM_CP_STATE_AA32) { | |
889 | oslock = (value == 0xC5ACCE55); | |
890 | } else { | |
891 | oslock = value & 1; | |
892 | } | |
893 | ||
894 | env->cp15.oslsr_el1 = deposit32(env->cp15.oslsr_el1, 1, 1, oslock); | |
895 | } | |
896 | ||
f94a6df5 PM |
897 | static void osdlr_write(CPUARMState *env, const ARMCPRegInfo *ri, |
898 | uint64_t value) | |
899 | { | |
900 | ARMCPU *cpu = env_archcpu(env); | |
901 | /* | |
902 | * Only defined bit is bit 0 (DLK); if Feat_DoubleLock is not | |
903 | * implemented this is RAZ/WI. | |
904 | */ | |
905 | if(arm_feature(env, ARM_FEATURE_AARCH64) | |
906 | ? cpu_isar_feature(aa64_doublelock, cpu) | |
907 | : cpu_isar_feature(aa32_doublelock, cpu)) { | |
908 | env->cp15.osdlr_el1 = value & 1; | |
909 | } | |
910 | } | |
911 | ||
5fc83f11 EI |
912 | static void dbgclaimset_write(CPUARMState *env, const ARMCPRegInfo *ri, |
913 | uint64_t value) | |
914 | { | |
915 | env->cp15.dbgclaim |= (value & 0xFF); | |
916 | } | |
917 | ||
918 | static uint64_t dbgclaimset_read(CPUARMState *env, const ARMCPRegInfo *ri) | |
919 | { | |
920 | /* CLAIM bits are RAO */ | |
921 | return 0xFF; | |
922 | } | |
923 | ||
924 | static void dbgclaimclr_write(CPUARMState *env, const ARMCPRegInfo *ri, | |
925 | uint64_t value) | |
926 | { | |
927 | env->cp15.dbgclaim &= ~(value & 0xFF); | |
928 | } | |
929 | ||
f43ee493 PM |
930 | static const ARMCPRegInfo debug_cp_reginfo[] = { |
931 | /* | |
932 | * DBGDRAR, DBGDSAR: always RAZ since we don't implement memory mapped | |
933 | * debug components. The AArch64 version of DBGDRAR is named MDRAR_EL1; | |
934 | * unlike DBGDRAR it is never accessible from EL0. | |
935 | * DBGDSAR is deprecated and must RAZ from v8 anyway, so it has no AArch64 | |
936 | * accessor. | |
937 | */ | |
938 | { .name = "DBGDRAR", .cp = 14, .crn = 1, .crm = 0, .opc1 = 0, .opc2 = 0, | |
939 | .access = PL0_R, .accessfn = access_tdra, | |
f654387b | 940 | .type = ARM_CP_CONST | ARM_CP_NO_GDB, .resetvalue = 0 }, |
f43ee493 PM |
941 | { .name = "MDRAR_EL1", .state = ARM_CP_STATE_AA64, |
942 | .opc0 = 2, .opc1 = 0, .crn = 1, .crm = 0, .opc2 = 0, | |
943 | .access = PL1_R, .accessfn = access_tdra, | |
944 | .type = ARM_CP_CONST, .resetvalue = 0 }, | |
945 | { .name = "DBGDSAR", .cp = 14, .crn = 2, .crm = 0, .opc1 = 0, .opc2 = 0, | |
946 | .access = PL0_R, .accessfn = access_tdra, | |
f654387b | 947 | .type = ARM_CP_CONST | ARM_CP_NO_GDB, .resetvalue = 0 }, |
f43ee493 PM |
948 | /* Monitor debug system control register; the 32-bit alias is DBGDSCRext. */ |
949 | { .name = "MDSCR_EL1", .state = ARM_CP_STATE_BOTH, | |
950 | .cp = 14, .opc0 = 2, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 2, | |
951 | .access = PL1_RW, .accessfn = access_tda, | |
917b1405 | 952 | .fgt = FGT_MDSCR_EL1, |
f43ee493 PM |
953 | .fieldoffset = offsetof(CPUARMState, cp15.mdscr_el1), |
954 | .resetvalue = 0 }, | |
955 | /* | |
956 | * MDCCSR_EL0[30:29] map to EDSCR[30:29]. Simply RAZ as the external | |
957 | * Debug Communication Channel is not implemented. | |
958 | */ | |
959 | { .name = "MDCCSR_EL0", .state = ARM_CP_STATE_AA64, | |
960 | .opc0 = 2, .opc1 = 3, .crn = 0, .crm = 1, .opc2 = 0, | |
1748ef03 | 961 | .access = PL0_R, .accessfn = access_tdcc, |
f43ee493 | 962 | .type = ARM_CP_CONST, .resetvalue = 0 }, |
b3aa2f21 | 963 | /* |
70a670ca AB |
964 | * These registers belong to the Debug Communications Channel, |
965 | * which is not implemented. However we implement RAZ/WI behaviour | |
966 | * with trapping to prevent spurious SIGILLs if the guest OS does | |
967 | * access them as the support cannot be probed for. | |
b3aa2f21 EI |
968 | */ |
969 | { .name = "OSDTRRX_EL1", .state = ARM_CP_STATE_BOTH, .cp = 14, | |
970 | .opc0 = 2, .opc1 = 0, .crn = 0, .crm = 0, .opc2 = 2, | |
1748ef03 | 971 | .access = PL1_RW, .accessfn = access_tdcc, |
b3aa2f21 EI |
972 | .type = ARM_CP_CONST, .resetvalue = 0 }, |
973 | { .name = "OSDTRTX_EL1", .state = ARM_CP_STATE_BOTH, .cp = 14, | |
974 | .opc0 = 2, .opc1 = 0, .crn = 0, .crm = 3, .opc2 = 2, | |
1748ef03 | 975 | .access = PL1_RW, .accessfn = access_tdcc, |
b3aa2f21 | 976 | .type = ARM_CP_CONST, .resetvalue = 0 }, |
70a670ca AB |
977 | /* DBGDTRTX_EL0/DBGDTRRX_EL0 depend on direction */ |
978 | { .name = "DBGDTR_EL0", .state = ARM_CP_STATE_BOTH, .cp = 14, | |
979 | .opc0 = 2, .opc1 = 3, .crn = 0, .crm = 5, .opc2 = 0, | |
980 | .access = PL0_RW, .accessfn = access_tdcc, | |
981 | .type = ARM_CP_CONST, .resetvalue = 0 }, | |
b3aa2f21 EI |
982 | /* |
983 | * OSECCR_EL1 provides a mechanism for an operating system | |
984 | * to access the contents of EDECCR. EDECCR is not implemented though, | |
985 | * as is the rest of external device mechanism. | |
986 | */ | |
987 | { .name = "OSECCR_EL1", .state = ARM_CP_STATE_BOTH, .cp = 14, | |
988 | .opc0 = 2, .opc1 = 0, .crn = 0, .crm = 6, .opc2 = 2, | |
989 | .access = PL1_RW, .accessfn = access_tda, | |
917b1405 | 990 | .fgt = FGT_OSECCR_EL1, |
b3aa2f21 | 991 | .type = ARM_CP_CONST, .resetvalue = 0 }, |
f43ee493 PM |
992 | /* |
993 | * DBGDSCRint[15,12,5:2] map to MDSCR_EL1[15,12,5:2]. Map all bits as | |
994 | * it is unlikely a guest will care. | |
995 | * We don't implement the configurable EL0 access. | |
996 | */ | |
997 | { .name = "DBGDSCRint", .state = ARM_CP_STATE_AA32, | |
998 | .cp = 14, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 0, | |
999 | .type = ARM_CP_ALIAS, | |
1000 | .access = PL1_R, .accessfn = access_tda, | |
1001 | .fieldoffset = offsetof(CPUARMState, cp15.mdscr_el1), }, | |
1002 | { .name = "OSLAR_EL1", .state = ARM_CP_STATE_BOTH, | |
1003 | .cp = 14, .opc0 = 2, .opc1 = 0, .crn = 1, .crm = 0, .opc2 = 4, | |
1004 | .access = PL1_W, .type = ARM_CP_NO_RAW, | |
1005 | .accessfn = access_tdosa, | |
917b1405 | 1006 | .fgt = FGT_OSLAR_EL1, |
f43ee493 PM |
1007 | .writefn = oslar_write }, |
1008 | { .name = "OSLSR_EL1", .state = ARM_CP_STATE_BOTH, | |
1009 | .cp = 14, .opc0 = 2, .opc1 = 0, .crn = 1, .crm = 1, .opc2 = 4, | |
1010 | .access = PL1_R, .resetvalue = 10, | |
1011 | .accessfn = access_tdosa, | |
917b1405 | 1012 | .fgt = FGT_OSLSR_EL1, |
f43ee493 PM |
1013 | .fieldoffset = offsetof(CPUARMState, cp15.oslsr_el1) }, |
1014 | /* Dummy OSDLR_EL1: 32-bit Linux will read this */ | |
1015 | { .name = "OSDLR_EL1", .state = ARM_CP_STATE_BOTH, | |
1016 | .cp = 14, .opc0 = 2, .opc1 = 0, .crn = 1, .crm = 3, .opc2 = 4, | |
1017 | .access = PL1_RW, .accessfn = access_tdosa, | |
917b1405 | 1018 | .fgt = FGT_OSDLR_EL1, |
f94a6df5 PM |
1019 | .writefn = osdlr_write, |
1020 | .fieldoffset = offsetof(CPUARMState, cp15.osdlr_el1) }, | |
f43ee493 PM |
1021 | /* |
1022 | * Dummy DBGVCR: Linux wants to clear this on startup, but we don't | |
1023 | * implement vector catch debug events yet. | |
1024 | */ | |
1025 | { .name = "DBGVCR", | |
1026 | .cp = 14, .opc1 = 0, .crn = 0, .crm = 7, .opc2 = 0, | |
1027 | .access = PL1_RW, .accessfn = access_tda, | |
1028 | .type = ARM_CP_NOP }, | |
f43ee493 PM |
1029 | /* |
1030 | * Dummy MDCCINT_EL1, since we don't implement the Debug Communications | |
1031 | * Channel but Linux may try to access this register. The 32-bit | |
1032 | * alias is DBGDCCINT. | |
1033 | */ | |
1034 | { .name = "MDCCINT_EL1", .state = ARM_CP_STATE_BOTH, | |
1035 | .cp = 14, .opc0 = 2, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 0, | |
1748ef03 | 1036 | .access = PL1_RW, .accessfn = access_tdcc, |
f43ee493 | 1037 | .type = ARM_CP_NOP }, |
5fc83f11 EI |
1038 | /* |
1039 | * Dummy DBGCLAIM registers. | |
1040 | * "The architecture does not define any functionality for the CLAIM tag bits.", | |
1041 | * so we only keep the raw bits | |
1042 | */ | |
1043 | { .name = "DBGCLAIMSET_EL1", .state = ARM_CP_STATE_BOTH, | |
1044 | .cp = 14, .opc0 = 2, .opc1 = 0, .crn = 7, .crm = 8, .opc2 = 6, | |
1045 | .type = ARM_CP_ALIAS, | |
1046 | .access = PL1_RW, .accessfn = access_tda, | |
917b1405 | 1047 | .fgt = FGT_DBGCLAIM, |
5fc83f11 EI |
1048 | .writefn = dbgclaimset_write, .readfn = dbgclaimset_read }, |
1049 | { .name = "DBGCLAIMCLR_EL1", .state = ARM_CP_STATE_BOTH, | |
1050 | .cp = 14, .opc0 = 2, .opc1 = 0, .crn = 7, .crm = 9, .opc2 = 6, | |
1051 | .access = PL1_RW, .accessfn = access_tda, | |
917b1405 | 1052 | .fgt = FGT_DBGCLAIM, |
5fc83f11 EI |
1053 | .writefn = dbgclaimclr_write, .raw_writefn = raw_write, |
1054 | .fieldoffset = offsetof(CPUARMState, cp15.dbgclaim) }, | |
f43ee493 PM |
1055 | }; |
1056 | ||
c36a0d57 PM |
1057 | /* These are present only when EL1 supports AArch32 */ |
1058 | static const ARMCPRegInfo debug_aa32_el1_reginfo[] = { | |
1059 | /* | |
1060 | * Dummy DBGVCR32_EL2 (which is only for a 64-bit hypervisor | |
1061 | * to save and restore a 32-bit guest's DBGVCR) | |
1062 | */ | |
1063 | { .name = "DBGVCR32_EL2", .state = ARM_CP_STATE_AA64, | |
1064 | .opc0 = 2, .opc1 = 4, .crn = 0, .crm = 7, .opc2 = 0, | |
1065 | .access = PL2_RW, .accessfn = access_tda, | |
1066 | .type = ARM_CP_NOP | ARM_CP_EL3_NO_EL2_KEEP }, | |
1067 | }; | |
1068 | ||
f43ee493 PM |
1069 | static const ARMCPRegInfo debug_lpae_cp_reginfo[] = { |
1070 | /* 64 bit access versions of the (dummy) debug registers */ | |
1071 | { .name = "DBGDRAR", .cp = 14, .crm = 1, .opc1 = 0, | |
f654387b AB |
1072 | .access = PL0_R, .type = ARM_CP_CONST | ARM_CP_64BIT | ARM_CP_NO_GDB, |
1073 | .resetvalue = 0 }, | |
f43ee493 | 1074 | { .name = "DBGDSAR", .cp = 14, .crm = 2, .opc1 = 0, |
f654387b AB |
1075 | .access = PL0_R, .type = ARM_CP_CONST | ARM_CP_64BIT | ARM_CP_NO_GDB, |
1076 | .resetvalue = 0 }, | |
f43ee493 PM |
1077 | }; |
1078 | ||
f43ee493 PM |
1079 | static void dbgwvr_write(CPUARMState *env, const ARMCPRegInfo *ri, |
1080 | uint64_t value) | |
1081 | { | |
1082 | ARMCPU *cpu = env_archcpu(env); | |
1083 | int i = ri->crm; | |
1084 | ||
1085 | /* | |
1086 | * Bits [1:0] are RES0. | |
1087 | * | |
1088 | * It is IMPLEMENTATION DEFINED whether [63:49] ([63:53] with FEAT_LVA) | |
1089 | * are hardwired to the value of bit [48] ([52] with FEAT_LVA), or if | |
1090 | * they contain the value written. It is CONSTRAINED UNPREDICTABLE | |
1091 | * whether the RESS bits are ignored when comparing an address. | |
1092 | * | |
1093 | * Therefore we are allowed to compare the entire register, which lets | |
1094 | * us avoid considering whether or not FEAT_LVA is actually enabled. | |
1095 | */ | |
1096 | value &= ~3ULL; | |
1097 | ||
1098 | raw_write(env, ri, value); | |
fa05d1ab FR |
1099 | if (tcg_enabled()) { |
1100 | hw_watchpoint_update(cpu, i); | |
1101 | } | |
f43ee493 PM |
1102 | } |
1103 | ||
1104 | static void dbgwcr_write(CPUARMState *env, const ARMCPRegInfo *ri, | |
1105 | uint64_t value) | |
1106 | { | |
1107 | ARMCPU *cpu = env_archcpu(env); | |
1108 | int i = ri->crm; | |
1109 | ||
1110 | raw_write(env, ri, value); | |
fa05d1ab FR |
1111 | if (tcg_enabled()) { |
1112 | hw_watchpoint_update(cpu, i); | |
1113 | } | |
f43ee493 PM |
1114 | } |
1115 | ||
f43ee493 PM |
1116 | static void dbgbvr_write(CPUARMState *env, const ARMCPRegInfo *ri, |
1117 | uint64_t value) | |
1118 | { | |
1119 | ARMCPU *cpu = env_archcpu(env); | |
1120 | int i = ri->crm; | |
1121 | ||
1122 | raw_write(env, ri, value); | |
fa05d1ab FR |
1123 | if (tcg_enabled()) { |
1124 | hw_breakpoint_update(cpu, i); | |
1125 | } | |
f43ee493 PM |
1126 | } |
1127 | ||
1128 | static void dbgbcr_write(CPUARMState *env, const ARMCPRegInfo *ri, | |
1129 | uint64_t value) | |
1130 | { | |
1131 | ARMCPU *cpu = env_archcpu(env); | |
1132 | int i = ri->crm; | |
1133 | ||
1134 | /* | |
1135 | * BAS[3] is a read-only copy of BAS[2], and BAS[1] a read-only | |
1136 | * copy of BAS[0]. | |
1137 | */ | |
1138 | value = deposit64(value, 6, 1, extract64(value, 5, 1)); | |
1139 | value = deposit64(value, 8, 1, extract64(value, 7, 1)); | |
1140 | ||
1141 | raw_write(env, ri, value); | |
fa05d1ab FR |
1142 | if (tcg_enabled()) { |
1143 | hw_breakpoint_update(cpu, i); | |
1144 | } | |
f43ee493 PM |
1145 | } |
1146 | ||
1147 | void define_debug_regs(ARMCPU *cpu) | |
1148 | { | |
1149 | /* | |
1150 | * Define v7 and v8 architectural debug registers. | |
1151 | * These are just dummy implementations for now. | |
1152 | */ | |
1153 | int i; | |
1154 | int wrps, brps, ctx_cmps; | |
1155 | ||
1156 | /* | |
1157 | * The Arm ARM says DBGDIDR is optional and deprecated if EL1 cannot | |
1158 | * use AArch32. Given that bit 15 is RES1, if the value is 0 then | |
1159 | * the register must not exist for this cpu. | |
1160 | */ | |
1161 | if (cpu->isar.dbgdidr != 0) { | |
1162 | ARMCPRegInfo dbgdidr = { | |
1163 | .name = "DBGDIDR", .cp = 14, .crn = 0, .crm = 0, | |
1164 | .opc1 = 0, .opc2 = 0, | |
1165 | .access = PL0_R, .accessfn = access_tda, | |
1166 | .type = ARM_CP_CONST, .resetvalue = cpu->isar.dbgdidr, | |
1167 | }; | |
1168 | define_one_arm_cp_reg(cpu, &dbgdidr); | |
1169 | } | |
1170 | ||
09754ca8 PM |
1171 | /* |
1172 | * DBGDEVID is present in the v7 debug architecture if | |
1173 | * DBGDIDR.DEVID_imp is 1 (bit 15); from v7.1 and on it is | |
1174 | * mandatory (and bit 15 is RES1). DBGDEVID1 and DBGDEVID2 exist | |
1175 | * from v7.1 of the debug architecture. Because no fields have yet | |
1176 | * been defined in DBGDEVID2 (and quite possibly none will ever | |
1177 | * be) we don't define an ARMISARegisters field for it. | |
1178 | * These registers exist only if EL1 can use AArch32, but that | |
1179 | * happens naturally because they are only PL1 accessible anyway. | |
1180 | */ | |
1181 | if (extract32(cpu->isar.dbgdidr, 15, 1)) { | |
1182 | ARMCPRegInfo dbgdevid = { | |
1183 | .name = "DBGDEVID", | |
1184 | .cp = 14, .opc1 = 0, .crn = 7, .opc2 = 2, .crn = 7, | |
1185 | .access = PL1_R, .accessfn = access_tda, | |
1186 | .type = ARM_CP_CONST, .resetvalue = cpu->isar.dbgdevid, | |
1187 | }; | |
1188 | define_one_arm_cp_reg(cpu, &dbgdevid); | |
1189 | } | |
1190 | if (cpu_isar_feature(aa32_debugv7p1, cpu)) { | |
1191 | ARMCPRegInfo dbgdevid12[] = { | |
1192 | { | |
1193 | .name = "DBGDEVID1", | |
1194 | .cp = 14, .opc1 = 0, .crn = 7, .opc2 = 1, .crn = 7, | |
1195 | .access = PL1_R, .accessfn = access_tda, | |
1196 | .type = ARM_CP_CONST, .resetvalue = cpu->isar.dbgdevid1, | |
1197 | }, { | |
1198 | .name = "DBGDEVID2", | |
1199 | .cp = 14, .opc1 = 0, .crn = 7, .opc2 = 0, .crn = 7, | |
1200 | .access = PL1_R, .accessfn = access_tda, | |
1201 | .type = ARM_CP_CONST, .resetvalue = 0, | |
1202 | }, | |
1203 | }; | |
1204 | define_arm_cp_regs(cpu, dbgdevid12); | |
1205 | } | |
1206 | ||
f43ee493 PM |
1207 | brps = arm_num_brps(cpu); |
1208 | wrps = arm_num_wrps(cpu); | |
1209 | ctx_cmps = arm_num_ctx_cmps(cpu); | |
1210 | ||
1211 | assert(ctx_cmps <= brps); | |
1212 | ||
1213 | define_arm_cp_regs(cpu, debug_cp_reginfo); | |
c36a0d57 PM |
1214 | if (cpu_isar_feature(aa64_aa32_el1, cpu)) { |
1215 | define_arm_cp_regs(cpu, debug_aa32_el1_reginfo); | |
1216 | } | |
f43ee493 PM |
1217 | |
1218 | if (arm_feature(&cpu->env, ARM_FEATURE_LPAE)) { | |
1219 | define_arm_cp_regs(cpu, debug_lpae_cp_reginfo); | |
1220 | } | |
1221 | ||
1222 | for (i = 0; i < brps; i++) { | |
1223 | char *dbgbvr_el1_name = g_strdup_printf("DBGBVR%d_EL1", i); | |
1224 | char *dbgbcr_el1_name = g_strdup_printf("DBGBCR%d_EL1", i); | |
1225 | ARMCPRegInfo dbgregs[] = { | |
1226 | { .name = dbgbvr_el1_name, .state = ARM_CP_STATE_BOTH, | |
1227 | .cp = 14, .opc0 = 2, .opc1 = 0, .crn = 0, .crm = i, .opc2 = 4, | |
1228 | .access = PL1_RW, .accessfn = access_tda, | |
917b1405 | 1229 | .fgt = FGT_DBGBVRN_EL1, |
f43ee493 PM |
1230 | .fieldoffset = offsetof(CPUARMState, cp15.dbgbvr[i]), |
1231 | .writefn = dbgbvr_write, .raw_writefn = raw_write | |
1232 | }, | |
1233 | { .name = dbgbcr_el1_name, .state = ARM_CP_STATE_BOTH, | |
1234 | .cp = 14, .opc0 = 2, .opc1 = 0, .crn = 0, .crm = i, .opc2 = 5, | |
1235 | .access = PL1_RW, .accessfn = access_tda, | |
917b1405 | 1236 | .fgt = FGT_DBGBCRN_EL1, |
f43ee493 PM |
1237 | .fieldoffset = offsetof(CPUARMState, cp15.dbgbcr[i]), |
1238 | .writefn = dbgbcr_write, .raw_writefn = raw_write | |
1239 | }, | |
1240 | }; | |
1241 | define_arm_cp_regs(cpu, dbgregs); | |
1242 | g_free(dbgbvr_el1_name); | |
1243 | g_free(dbgbcr_el1_name); | |
1244 | } | |
1245 | ||
1246 | for (i = 0; i < wrps; i++) { | |
1247 | char *dbgwvr_el1_name = g_strdup_printf("DBGWVR%d_EL1", i); | |
1248 | char *dbgwcr_el1_name = g_strdup_printf("DBGWCR%d_EL1", i); | |
1249 | ARMCPRegInfo dbgregs[] = { | |
1250 | { .name = dbgwvr_el1_name, .state = ARM_CP_STATE_BOTH, | |
1251 | .cp = 14, .opc0 = 2, .opc1 = 0, .crn = 0, .crm = i, .opc2 = 6, | |
1252 | .access = PL1_RW, .accessfn = access_tda, | |
917b1405 | 1253 | .fgt = FGT_DBGWVRN_EL1, |
f43ee493 PM |
1254 | .fieldoffset = offsetof(CPUARMState, cp15.dbgwvr[i]), |
1255 | .writefn = dbgwvr_write, .raw_writefn = raw_write | |
1256 | }, | |
1257 | { .name = dbgwcr_el1_name, .state = ARM_CP_STATE_BOTH, | |
1258 | .cp = 14, .opc0 = 2, .opc1 = 0, .crn = 0, .crm = i, .opc2 = 7, | |
1259 | .access = PL1_RW, .accessfn = access_tda, | |
917b1405 | 1260 | .fgt = FGT_DBGWCRN_EL1, |
f43ee493 PM |
1261 | .fieldoffset = offsetof(CPUARMState, cp15.dbgwcr[i]), |
1262 | .writefn = dbgwcr_write, .raw_writefn = raw_write | |
1263 | }, | |
1264 | }; | |
1265 | define_arm_cp_regs(cpu, dbgregs); | |
1266 | g_free(dbgwvr_el1_name); | |
1267 | g_free(dbgwcr_el1_name); | |
1268 | } | |
1269 | } |